
My current stack has Varnish -> NGINX (2 servers) running Drupal -> MySql.

All static content is cached and served by Varnish over HTTP. However when a user signs-up and wants to purchase a plan the connection to the payment gateway is over HTTPS. Currently the certificate is implemented on one of the NGINX servers. The A record of the domain points to this NGINX server.

I intend to point the A record of the domain to the Varnish server so that I can benefit from Varnish's caching instead of loading the NGINX server. Any visitor who intends to purchase will be passed through to NGINX. I have two doubts:

  1. Should I generate another certificate for the second NGINX server, or does just implementing the certificate that's available on the first server onto the second one suffice?
  2. Will this setup cause any problems? I get this feeling because the server(s) that contain the certificate no longer have the domain mapped to them.

EDIT: I intend to have Varnish listen on port 443 and make it pass all HTTPS requests to the NGINX server.

  • Right - if the Varnish box doesn't listen on 443, there will be problems with connecting to SSL on that domain. An HTTP server or simple SSL wrapper like stunnel listening on 443, then sending traffic to Varnish, might do the job nicely for your setup. Commented Apr 11, 2014 at 6:09
  • Why do you need Varnish at all? Nginx has a great cache too. Commented Apr 11, 2014 at 20:28

1 Answer

Varnish does not support SSL-wrapped (https) traffic, hence you have to use an SSL terminator in front of it.

Several different applications can be used for this. They all terminate SSL and forward plain http traffic to your backend (Varnish):

  • a (standard) http web server which supports SSL - like Apache or nginx
  • a purpose-specific SSL terminator (called a wrapper) like stud or stunnel
  • a purpose-specific reverse proxy / load balancer with SSL support like pound

An application specifically developed to terminate SSL and/or proxy requests is preferable.
As a webserver, nginx would fit better than Apache as it is generally considered faster for static content or proxying.
nginx also makes it easy to compile a specific build with minimum overhead which only contains all necessary modules (http_core, http_proxy and http_ssl modules).

When all SSL is terminated at the terminator, your backend nginx instances do not need to know anything about SSL at all (except returning the correct hostname and scheme in all links).
Hence, it does not require the certificate and private key.

  • Does that mean I should have Pound/stunnel listen on 80 and 443, Varnish on 6081 and NGINX on 8080 and have the A records point to the ip on which pound is installed? Commented Apr 11, 2014 at 9:35
  • @sridharpandurangiah Either that, or you let Varnish also listen on port 80 and your SSL terminator on port 443. Other than web servers and proxies/load balancers, stunnel is a plain SSL terminator, meaning it cannot do anything but terminate SSL. Hence, stunnel should only listen on port 443. For web servers and proxies, you may want to use additional features on your front-end like compression (compressing on your backend would make Varnish cache a version for each compression being used -- deflate, gzip and, none). If SSL is your only concern, stunnel would probably be best. Commented Apr 11, 2014 at 9:56
  • "Either that, or you let Varnish also listen on port 80 and your SSL terminator on port 443" Commented Apr 11, 2014 at 11:46
  • "Either that, or you let Varnish also listen on port 80 and your SSL terminator on port 443" <-This is interesting. Does it mean that stunnel will pass the SSL requests straight through to NGINX webserver without having to pass it through Varnish? (I don't see a reason for it to pass through varnish) Commented Apr 11, 2014 at 11:59
  • @sridharpandurangiah Wait, wasn't your initial thought to pass SSL through Varnish? "I intend to point the A record of the domain to the Varnish server so that I can benefit from Varnish's caching instead of loading the NGINX server." Of course you can configure stunnel to directly forward to nginx but wouldn't that defeat the purpose of the question? If you wanted to not pass through Varnish then your current setup is fine, isn't it? Commented Apr 11, 2014 at 16:43
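As an added illustration of the layout the answer and its comments describe (not configuration from the question or the answer), here is an nginx-based SSL terminator that holds the only copy of the certificate and forwards plain HTTP to Varnish, next to a backend nginx block that needs no certificate at all. Port numbers follow the comments above (443 for the terminator, 6081 for Varnish, 8080 for the Drupal backends); the host name, certificate paths, document root and php-fpm socket are placeholders.

```nginx
# Added example, not from the original post. Placeholders: example.com,
# /etc/ssl/... paths, /var/www/drupal, the php-fpm socket.

# --- Front end: the SSL terminator (443) -> Varnish (6081) ---
server {
    listen 443 ssl;
    server_name example.com;                        # placeholder

    ssl_certificate     /etc/ssl/example.com.crt;   # placeholder
    ssl_certificate_key /etc/ssl/example.com.key;   # placeholder
    ssl_protocols       TLSv1.2;                    # no SSLv3 / TLS 1.0 / 1.1

    location / {
        proxy_pass http://127.0.0.1:6081;           # Varnish, plain HTTP
        proxy_set_header Host              $host;
        # Tell Varnish and Drupal that the client connection was HTTPS, so
        # generated links and cookies use the right scheme (see the answer's
        # remark about returning the correct hostname and scheme).
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# --- Backend: either Drupal nginx instance (8080), no certificate ---
# Only Varnish should be able to reach this port; firewall it so that a
# client cannot connect directly and set X-Forwarded-Proto itself.
map $http_x_forwarded_proto $fastcgi_https {
    default "";
    https   on;
}

server {
    listen 8080;
    server_name example.com;                        # placeholder
    root /var/www/drupal;                           # placeholder
    index index.php;

    location / {
        try_files $uri /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        # Drupal checks $_SERVER['HTTPS'] == 'on' to decide the scheme.
        fastcgi_param HTTPS $fastcgi_https if_not_empty;
        fastcgi_pass unix:/var/run/php-fpm.sock;    # placeholder
    }
}
```

Varnish forwards the X-Forwarded-Proto request header to the backend unchanged, but its default hash covers only URL and Host, so if a page renders differently for http and https you need to add that header to vcl_hash or the two variants will share one cache object.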
